Prevent Modifications to Security Settings on Mobile Devices
Mobile devices ensure users cannot change or disable security features once set up.
Plain language
This control ensures that once security settings are configured on a mobile device, they cannot be turned off or changed by someone not authorised to do so. This is important to prevent accidental or intentional weakening of security, which could expose sensitive information or lead to data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobilitySection
Mobile device managementOfficial control statement
Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.
Why it matters
If users can disable or alter provisioned mobile security features, devices can become non-compliant, enabling unauthorised access and data leakage.
Operational notes
Use MDM to enforce non-removable security profiles and restrict user changes; regularly review compliance reports to confirm key settings remain locked.
Implementation tips
- IT team: Configure mobile device management software to lock security settings after initial setup. This involves setting up policies that restrict changes to security features such as PIN codes, encryption, and remote wipe capabilities.
- System owner: Work with your IT provider to define and document the essential security features that must be locked down. This involves determining which features are critical to maintain, such as firewalls, antivirus programs, and location tracking.
- IT security manager: Clearly communicate to all staff why security settings on their work devices cannot be modified. Hold a training session or distribute a simple guide explaining the potential risks of tampering with these configurations.
- Managers: Regularly review and update the list of mobile devices and ensure they're enrolled in the device management system. Check that all new devices are properly set up before they are handed out to staff.
- Procurement team: Ensure all new mobile devices are compatible with your organisation's mobile device management system rules. This includes checking specifications with vendors to confirm they support necessary security configurations before purchase.
Audit / evidence tips
- AskThe mobile device configuration policy document: Ensure it includes rules that lock security settings on devices GoodIs a comprehensive policy outlining security locking procedures for all device types
- AskA report from the mobile device management system: Check for a list of devices and their security configuration status
- AskTraining records covering mobile device security. Look to see that all staff have completed sessions on the importance of maintaining security settings GoodIncludes attendee lists and training dates
- AskTo see a sample of device compliance reports generated automatically by the management system GoodReport shows ongoing monitoring with no deviations from organisational policies
- AskIncident records related to unauthorised changes to mobile devices GoodShows minimal or zero incidents with documented remedial action
Cross-framework mappings
How ISM-0864 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.1 | ISM-0864 requires mobile devices to prevent personnel from disabling or modifying provisioned security functionality | |
| Annex A 8.9 | ISM-0864 requires mobile devices to lock down security settings so users cannot disable or modify security functionality after provisioning | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.